Analysis Overview
SHA256
c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099
Threat Level: Known bad
The file MALZ6.zip was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Windows security bypass
Ramnit
Mrblack family
Gh0strat family
Gh0strat
Gh0st RAT payload
Modifies firewall policy service
MrBlack trojan
Ramnit family
Modifies RDP port number used by Windows
Deletes itself
Loads dropped DLL
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Windows security modification
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Indicator Removal: File Deletion
UPX packed file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Program crash
Suspicious behavior: RenamesItself
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Checks processor information in registry
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-07 18:43
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat family
MrBlack trojan
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Mrblack family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral29
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:08
Platform
win11-20241007-en
Max time kernel
436s
Max time network
1157s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\wrt1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:41
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1800s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\cctv_2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\cctv_2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\cctv_2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\cctv_2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cctv_2.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\cctv_2.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cctv_2.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\cctv_2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\cctv_2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cctv_2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cctv_2.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cctv_2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\cctv_2.exe
"C:\Users\Admin\AppData\Local\Temp\cctv_2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | bmhvac.com | udp |
| US | 199.59.243.227:443 | bmhvac.com | tcp |
| US | 207.97.216.207:443 | jhampe.com | tcp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
Files
memory/2764-0-0x0000000000400000-0x000000000040D000-memory.dmp
memory/2764-3-0x0000000077B15000-0x0000000077B16000-memory.dmp
memory/2764-2-0x0000000077B14000-0x0000000077B15000-memory.dmp
memory/2764-1-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2764-4-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2764-5-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2764-6-0x0000000000400000-0x000000000040D000-memory.dmp
memory/2764-7-0x000000007FE70000-0x000000007FE7C000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:48
Platform
win11-20241007-en
Max time kernel
438s
Max time network
1160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cn1.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cn1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cn1.exe
"C:\Users\Admin\AppData\Local\Temp\cn1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2980 -ip 2980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 236
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:51
Platform
win11-20241007-en
Max time kernel
435s
Max time network
1158s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\java (2)"
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:06
Platform
win11-20241007-en
Max time kernel
489s
Max time network
1798s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX2063534F = "C:\\Windows\\XXXXXX2063534F\\svchsot.exe" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\XXXXXX2063534F\svchsot.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| File opened for modification | C:\Windows\XXXXXX2063534F\svchsot.exe | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | la.linkpc.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 146.235.202.85:6380 | la.linkpc.net | tcp |
| SG | 139.99.66.103:6380 | le.linkpc.net | tcp |
| US | 146.235.202.85:6380 | la.linkpc.net | tcp |
| SG | 139.99.66.103:6380 | le.linkpc.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 146.235.202.85:6380 | la.linkpc.net | tcp |
| US | 146.235.202.85:6380 | la.linkpc.net | tcp |
| SG | 139.99.66.103:6380 | le.linkpc.net | tcp |
| US | 146.235.202.85:6380 | la.linkpc.net | tcp |
| US | 8.8.8.8:53 | le.linkpc.net | udp |
| SG | 139.99.66.103:6380 | le.linkpc.net | tcp |
| US | 146.235.202.85:6380 | la.linkpc.net | tcp |
| SG | 139.99.66.103:6380 | le.linkpc.net | tcp |
| IE | 52.213.114.86:8000 | www.fz0575.com | tcp |
| IE | 52.213.114.86:2011 | www.fz0575.com | tcp |
| US | 146.235.202.85:6380 | la.linkpc.net | tcp |
| IE | 52.213.114.86:8000 | www.fz0575.com | tcp |
| SG | 139.99.66.103:6380 | le.linkpc.net | tcp |
| US | 146.235.202.85:6380 | la.linkpc.net | tcp |
| IE | 52.213.114.86:8000 | www.fz0575.com | tcp |
| SG | 139.99.66.103:6380 | le.linkpc.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | 79f9d1af3af73660bb33682aad5f2329 |
| SHA1 | d02d2d83b9887bfc12e3a3e47e6a700e68406e6b |
| SHA256 | bdea8fddd42a2a8a0130dbfa5e606fd4bcd36a258e748bb5a4ec48223bdb9891 |
| SHA512 | 11f186b65f13fd7f0ac2af2b527f57d1a7d0ac8bda16bb5edcc1cb991595370dd6832aebe292009db5d35ee0441eb95bb80915ddff158b1cc2256bf18cc4a23b |
memory/5064-12-0x0000000010000000-0x0000000010121000-memory.dmp
memory/5064-20-0x00000000007C0000-0x0000000000800000-memory.dmp
memory/5064-17-0x0000000010000000-0x0000000010121000-memory.dmp
memory/5064-15-0x0000000010000000-0x0000000010121000-memory.dmp
memory/5064-14-0x0000000010000000-0x0000000010121000-memory.dmp
memory/5064-13-0x0000000010000000-0x0000000010121000-memory.dmp
memory/4464-28-0x0000000010000000-0x0000000010121000-memory.dmp
memory/4140-40-0x0000000010000000-0x0000000010121000-memory.dmp
memory/4140-37-0x0000000010000000-0x0000000010121000-memory.dmp
memory/4140-38-0x0000000010000000-0x0000000010121000-memory.dmp
memory/924-52-0x0000000010000000-0x0000000010121000-memory.dmp
memory/924-50-0x0000000010000000-0x0000000010121000-memory.dmp
memory/924-49-0x0000000010000000-0x0000000010121000-memory.dmp
memory/4832-64-0x0000000010000000-0x0000000010121000-memory.dmp
memory/3016-76-0x0000000010000000-0x0000000010121000-memory.dmp
memory/3016-74-0x0000000010000000-0x0000000010121000-memory.dmp
memory/3016-73-0x0000000010000000-0x0000000010121000-memory.dmp
memory/4832-62-0x0000000010000000-0x0000000010121000-memory.dmp
memory/4832-61-0x0000000010000000-0x0000000010121000-memory.dmp
memory/5064-852-0x0000000010000000-0x0000000010121000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:03
Platform
win11-20241007-en
Max time kernel
445s
Max time network
1167s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sqlrer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:40
Platform
win11-20241007-en
Max time kernel
429s
Max time network
1154s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bjyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bjyk.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\awuphukcry | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\afjjpxmaet | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\anwcxbpwrp | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bjyk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
| Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bjyk.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\jnjcfjifhg | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5360 wrote to memory of 5936 | N/A | C:\Users\Admin\AppData\Local\Temp\bjyk.exe | \??\c:\users\admin\appdata\local\jnjcfjifhg |
| PID 5360 wrote to memory of 5936 | N/A | C:\Users\Admin\AppData\Local\Temp\bjyk.exe | \??\c:\users\admin\appdata\local\jnjcfjifhg |
| PID 5360 wrote to memory of 5936 | N/A | C:\Users\Admin\AppData\Local\Temp\bjyk.exe | \??\c:\users\admin\appdata\local\jnjcfjifhg |
Processes
C:\Users\Admin\AppData\Local\Temp\bjyk.exe
"C:\Users\Admin\AppData\Local\Temp\bjyk.exe"
\??\c:\users\admin\appdata\local\jnjcfjifhg
"C:\Users\Admin\AppData\Local\Temp\bjyk.exe" a -sc:\users\admin\appdata\local\temp\bjyk.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1696 -ip 1696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 900
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4536 -ip 4536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1136
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5472 -ip 5472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 1080
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | conf.f.360.cn | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/5360-0-0x0000000000400000-0x0000000000432800-memory.dmp
C:\Users\Admin\AppData\Local\Temp\foi903A.tmp
| MD5 | 4f407b29d53e9eb54e22d096fce82aa7 |
| SHA1 | a4ee25b066cac19ff679dd491f5791652bb71185 |
| SHA256 | cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc |
| SHA512 | 325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183 |
memory/5360-8-0x0000000002050000-0x00000000020C4000-memory.dmp
memory/5360-7-0x0000000002050000-0x00000000020C4000-memory.dmp
memory/5360-9-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\jnjcfjifhg
| MD5 | 80a94e1cbefc8aec2d2e12e529360c96 |
| SHA1 | 6023259335ef17afbb1e6559ab8d86dd625a9e10 |
| SHA256 | 065425c2565cd89a1700bdfc6025573e148b416b57d4f0047bb3e0a68d19a3a4 |
| SHA512 | d8c3412d9108a2fdbfd4e42b38de4858c0a6565562599fd0a90949734d6fb71ca1431fc30e6d9b274cc9364cfb3933842d20ba61c135bf186b862065e0d3f298 |
memory/5936-14-0x0000000000400000-0x0000000000432800-memory.dmp
memory/5360-18-0x0000000002050000-0x00000000020C4000-memory.dmp
memory/5360-17-0x0000000000400000-0x0000000000432800-memory.dmp
memory/5936-25-0x0000000002170000-0x00000000021E4000-memory.dmp
memory/5936-27-0x0000000000400000-0x0000000000432800-memory.dmp
memory/5936-26-0x0000000002170000-0x00000000021E4000-memory.dmp
\??\c:\programdata\drm\%sessionname%\wylpn.cc3
| MD5 | 9789844457c403ea9a5494c034817215 |
| SHA1 | f24fb6d2508e147328cc6568c2983d0a505b5c71 |
| SHA256 | 5fdc3f0216168c04ffcf1661165ce25c7bce8db8a3f70096af1fe8b43e9d9bb8 |
| SHA512 | 280b1fc68bad7dd8cde5c1f21d6f021d5fba01d444b53917946bacf9288b8c7abc20cebc694af99ad3c0ba56e50e7e5a45de582ca25923a9827583e0275d44ee |
memory/5936-33-0x0000000000400000-0x0000000000432800-memory.dmp
memory/5936-32-0x0000000002170000-0x00000000021E4000-memory.dmp
memory/1696-34-0x00000000013F0000-0x00000000013F1000-memory.dmp
memory/1696-36-0x0000000020000000-0x0000000020027000-memory.dmp
memory/4536-38-0x00000000015E0000-0x00000000015E1000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
| MD5 | 19a606d0d02ad08f66f6783550c86640 |
| SHA1 | 0cb011a99c696ca80a0cb8c09739279ad96b4403 |
| SHA256 | d8206ec6e1692a5f751767abae6b4750d9271de914ad73338c694c791c677ee6 |
| SHA512 | fc4d7079e8c97223b10725edd7ec2d4998b9dd743ec3ae1b8e16551286f8e1b97281d69df5fa28f618bded9a8d7a018e7fbe5b480b353772a5b26493f00e983a |
memory/4536-41-0x0000000020000000-0x0000000020027000-memory.dmp
memory/5472-43-0x00000000014D0000-0x00000000014D1000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
| MD5 | 2b9c0708448e312e893095af8964ecf2 |
| SHA1 | c0f77d0c774043cebaf6ee47db977cf0ccb1cf8e |
| SHA256 | db7f82ec4ee167a7b030856af21c8a1dc870b8f75182924e67918faa60ff029f |
| SHA512 | 2a97e7e55dbcbddc0af7b86c41ef8e7368e7854ddae6b0b6936f4604aeba33205a85d71f4718603b259098bb08c31e032d31141926990d0978d091ea66637ee8 |
memory/5472-46-0x0000000020000000-0x0000000020027000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:02
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1799s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\smss.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smssSrv.exe | N/A |
Enumerates connected drives
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\smssSrv.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smssSrv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe"
C:\Users\Admin\AppData\Local\Temp\smssSrv.exe
C:\Users\Admin\AppData\Local\Temp\smssSrv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3096 -ip 3096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 320
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | uxzqya.com | udp |
| LU | 80.92.65.214:443 | tiipme.com | tcp |
| US | 198.59.144.26:443 | pscite.com | tcp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| CN | 106.75.174.201:443 | mesike.com | tcp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ddos.lyjq.org | udp |
Files
memory/2480-0-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smssSrv.exe
| MD5 | 5cdc5ad14f0f7476711d2ab65607fe5b |
| SHA1 | d03fa4a202afc929725f969471a8c1d5943fd12a |
| SHA256 | 4e7d57da4995611e1451846e7a08017a4fbca09215a31707d6ac2957b71f5a97 |
| SHA512 | b0a0c1367efcd37c827306ca5ebad1cd6fca695d12746df1686a3f9ee1d59698ef82ba98b5e697f311168a63533d7046729eae921ce177213183253ea815a9a2 |
memory/3096-6-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3096-5-0x0000000002010000-0x000000000201F000-memory.dmp
memory/3096-4-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2480-7-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2480-8-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2480-10-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2480-9-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2480-12-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2480-25-0x000000007FE70000-0x000000007FE7C000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:06
Platform
win11-20241007-en
Max time kernel
446s
Max time network
1168s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ssh.sh
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:10
Platform
win11-20241007-en
Max time kernel
439s
Max time network
1160s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yk.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\fsvynmtudl | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\fbkrvpvspg | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\fkhgfjqwpp | C:\Windows\SysWOW64\svchost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
| Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yk.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\ostiusdoqs | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5628 wrote to memory of 5752 | N/A | C:\Users\Admin\AppData\Local\Temp\yk.exe | \??\c:\users\admin\appdata\local\ostiusdoqs |
| PID 5628 wrote to memory of 5752 | N/A | C:\Users\Admin\AppData\Local\Temp\yk.exe | \??\c:\users\admin\appdata\local\ostiusdoqs |
| PID 5628 wrote to memory of 5752 | N/A | C:\Users\Admin\AppData\Local\Temp\yk.exe | \??\c:\users\admin\appdata\local\ostiusdoqs |
Processes
C:\Users\Admin\AppData\Local\Temp\yk.exe
"C:\Users\Admin\AppData\Local\Temp\yk.exe"
\??\c:\users\admin\appdata\local\ostiusdoqs
"C:\Users\Admin\AppData\Local\Temp\yk.exe" a -sc:\users\admin\appdata\local\temp\yk.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6000 -ip 6000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 1104
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1972 -ip 1972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 884
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6020 -ip 6020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6020 -s 860
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | conf.f.360.cn | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/5628-0-0x0000000000400000-0x0000000000432800-memory.dmp
C:\Users\Admin\AppData\Local\Temp\api9700.tmp
| MD5 | 4f407b29d53e9eb54e22d096fce82aa7 |
| SHA1 | a4ee25b066cac19ff679dd491f5791652bb71185 |
| SHA256 | cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc |
| SHA512 | 325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183 |
memory/5628-7-0x0000000000760000-0x00000000007D4000-memory.dmp
memory/5628-9-0x0000000000401000-0x0000000000402000-memory.dmp
memory/5628-8-0x0000000000760000-0x00000000007D4000-memory.dmp
C:\Users\Admin\AppData\Local\ostiusdoqs
| MD5 | 503f589f44c4feeaf8b59587dac73711 |
| SHA1 | 583012bfe244f5582e625ba3fb85c7043992c03c |
| SHA256 | 1a1efbf1f49754a2350a797e81ba51c1579445eac5771fcde40c82281431f55d |
| SHA512 | 6ba16a5ef96d612668854869395cf1095a218e4bb59edf28e1c98a2c003ab182fa4293059a1b471388a297d70e28f8210c2396da6e752df12804be98eeed6f9c |
memory/5752-14-0x0000000000400000-0x0000000000432800-memory.dmp
memory/5628-18-0x0000000000760000-0x00000000007D4000-memory.dmp
memory/5628-16-0x0000000000400000-0x0000000000432800-memory.dmp
memory/5752-24-0x0000000000760000-0x00000000007D4000-memory.dmp
memory/5752-26-0x0000000000760000-0x00000000007D4000-memory.dmp
memory/5752-27-0x0000000000400000-0x0000000000432800-memory.dmp
\??\c:\programdata\drm\%sessionname%\cmwkx.cc3
| MD5 | dc7b954c0eb460183e4daac5fa8d3980 |
| SHA1 | 9b99f89bfe3c3ff78ed872b80f2abb2970f889df |
| SHA256 | 99bfab4b4d78d6f7da17662d533cb3cf11e6973ed4fe976bcbd02238558b206e |
| SHA512 | 05bd723bcd2ee5ec9249c5647a103bdd9fb4860d57933003d2d7e815b7b0046a982cc5090bc7439309b60a762bda9a89bbd60ba2b01b7aa13ab79ea5c5b5f174 |
memory/5752-33-0x0000000000400000-0x0000000000432800-memory.dmp
memory/5752-32-0x0000000000760000-0x00000000007D4000-memory.dmp
memory/6000-34-0x0000000001550000-0x0000000001551000-memory.dmp
memory/6000-36-0x0000000020000000-0x0000000020027000-memory.dmp
memory/1972-38-0x0000000001D90000-0x0000000001D91000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
| MD5 | b391319a7d810fa7dd9a7afce7903ad0 |
| SHA1 | c043d5aed45796cee675490374849edff90c6632 |
| SHA256 | 86958c9009f43ed573027fd2d50b465459c0081a399ee7a712b835221af1079c |
| SHA512 | f1773a14d96418d0ae8772b38329e0063d5339714ee9b46beab969b310b491c91a6bcb4f701bfda27b85177e64c6361912bcd7ee361b1f7a35e3319d38691c4d |
memory/1972-41-0x0000000020000000-0x0000000020027000-memory.dmp
memory/6020-43-0x0000000001DD0000-0x0000000001DD1000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
| MD5 | a1d72c8f960d827f6e654d1b769de787 |
| SHA1 | 6f7b4ac429f1a1f5713349e110ccf9ccad350839 |
| SHA256 | fb2cdedaa01e73a7e8e2584923380695333fe973994cd0bc0d86a6d979dc0dd2 |
| SHA512 | 037e0070832d3684b7ebd53b64ba6ccfac6fa1ae8fb4af63e6cce217bf045e420f41904ffd831466258903b538543a7f1c34d2d91fbc0d7779e4a2f16fa63a88 |
memory/6020-46-0x0000000020000000-0x0000000020027000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:59
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1631s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\mh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\mh.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mh.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\mh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\mh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\mh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\gyggue.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\gyggue.exe | C:\Users\Admin\AppData\Local\Temp\mh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gyggue.exe | C:\Users\Admin\AppData\Local\Temp\mh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\gyggue.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\gyggue.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\gyggue.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mh.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\gyggue.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\mh.exe
"C:\Users\Admin\AppData\Local\Temp\mh.exe"
C:\Windows\SysWOW64\gyggue.exe
C:\Windows\SysWOW64\gyggue.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/5780-0-0x0000000000400000-0x0000000000436000-memory.dmp
memory/5780-1-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/5780-3-0x00000000774B5000-0x00000000774B6000-memory.dmp
memory/5780-2-0x00000000774B4000-0x00000000774B5000-memory.dmp
memory/5780-4-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/5780-5-0x000000007FE70000-0x000000007FE7C000-memory.dmp
C:\Windows\SysWOW64\gyggue.exe
| MD5 | 990ced068a35be3f8092c491bf2a6dbb |
| SHA1 | b9303bd5671d66b7b5520da2a12f7243b05235f4 |
| SHA256 | 22e44f753597c056b7b1eba9728043e7e6dbdf94f0f66f06e6bdd1fdba096fb2 |
| SHA512 | 28ee629fc56a204f2e40f6f1c42e45dd142800ea07277d8d89f3d7522fbe290d32240668543e679b6e40e6d68b2f9a65cd6bf6168a4d9a79859e49df2ae5f48e |
memory/5780-9-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/5780-11-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/5780-10-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/5780-12-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/5780-15-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/5780-18-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2800-19-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2800-39-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2800-59-0x0000000000400000-0x0000000000436000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:01
Platform
win11-20241007-en
Max time kernel
448s
Max time network
1171s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\rootkit
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:02
Platform
win11-20241007-en
Max time kernel
432s
Max time network
1155s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\djjgtulhew | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\dswacxofrr | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\dbunmrjjrb | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
| Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\frddnqidbl | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3388 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | \??\c:\users\admin\appdata\local\frddnqidbl |
| PID 3388 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | \??\c:\users\admin\appdata\local\frddnqidbl |
| PID 3388 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | \??\c:\users\admin\appdata\local\frddnqidbl |
Processes
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
\??\c:\users\admin\appdata\local\frddnqidbl
"C:\Users\Admin\AppData\Local\Temp\server.exe" a -sc:\users\admin\appdata\local\temp\server.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1252 -ip 1252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1100
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1884 -ip 1884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1108
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1828 -ip 1828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1112
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | conf.f.360.cn | udp |
Files
memory/3388-0-0x0000000000400000-0x0000000000432800-memory.dmp
C:\Users\Admin\AppData\Local\Temp\doi8F20.tmp
| MD5 | 4f407b29d53e9eb54e22d096fce82aa7 |
| SHA1 | a4ee25b066cac19ff679dd491f5791652bb71185 |
| SHA256 | cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc |
| SHA512 | 325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183 |
memory/3388-5-0x0000000002080000-0x00000000020F4000-memory.dmp
memory/3388-8-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\frddnqidbl
| MD5 | 2062a529abc59129add396f1ebb0989a |
| SHA1 | 791da57ab89a38239dfe8e0541daecdd86fe8cd6 |
| SHA256 | a49cceb58bcb389c7d0cc8f82f6786da626d4b643eb55fae5179462ea124718d |
| SHA512 | 6846e2cd4ab52f3a0f1ce35d29c8c484878a1c753f85d7202023179232d3aa55c6f0b7f6c619e46afa3b1844e3ccfa4b0d4753ef20f6d7ee5c5704929cb607f7 |
memory/3476-15-0x0000000000400000-0x0000000000432800-memory.dmp
memory/3388-18-0x0000000002080000-0x00000000020F4000-memory.dmp
memory/3476-24-0x0000000002150000-0x00000000021C4000-memory.dmp
memory/3476-25-0x0000000000400000-0x0000000000432800-memory.dmp
memory/3388-17-0x0000000000400000-0x0000000000432800-memory.dmp
\??\c:\programdata\drm\%sessionname%\yidwd.cc3
| MD5 | c3f06f5383899953a4b2e9818893ba1c |
| SHA1 | 0511329a38cd458d955aeaa5cf4c5371f56f8e3d |
| SHA256 | f14893eb1ee1fcec69a3b5e3af7eb83dbf8f576140cb06ec7e6adf14fa9ba62e |
| SHA512 | 40ab9313029953fc5ba9fb1051f97ad55224a31413b5437f70b90b3122147df11ebffefbaabb0997a2c325f2f48efaf04e2b613dad3d6489679b6ede89a216b2 |
memory/3476-30-0x0000000002150000-0x00000000021C4000-memory.dmp
memory/3476-31-0x0000000000400000-0x0000000000432800-memory.dmp
memory/1252-32-0x0000000001610000-0x0000000001611000-memory.dmp
memory/1252-34-0x0000000020000000-0x0000000020027000-memory.dmp
memory/1884-36-0x0000000000FC0000-0x0000000000FC1000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
| MD5 | 89210fb1a54248dbf727b8daddee654f |
| SHA1 | aa48bb74ead4d55b4cb71e7f09ff4af818de612c |
| SHA256 | 9578cffa98a69caef47fd6a9ac856d9b3e16892a322ecc18b030cc45d6f8b2ff |
| SHA512 | dcfb5c3cc91fac21d02ea41e822041a0abfb3c8697ccaed5dadc14cbbe69b652444fdbc5abe248c28cd6d3c1d811d22ea8823989cafa5fc467ca6b705d0c708d |
memory/1884-39-0x0000000020000000-0x0000000020027000-memory.dmp
memory/1828-41-0x00000000019E0000-0x00000000019E1000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
| MD5 | 72c121ad4fc5d889ee205b1d0634fd05 |
| SHA1 | 9b35ea724f257d9e3d90ccdd53445a9247b574c8 |
| SHA256 | 7a0f63f60f741c1463e4bbd0d69f9234b3931e569225720f6c70d45d4c33d741 |
| SHA512 | c5162329dcdd0304e4662651fb2ad176c379b5d2446e9aed3fa22a42af62fb40e1120c73e06bd74f05ec9af05ab3e5868e05787e11eeafe667a9b44db81dbab7 |
memory/1828-44-0x0000000020000000-0x0000000020027000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:04
Platform
win11-20241007-en
Max time kernel
432s
Max time network
1157s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\squld
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:40
Platform
win11-20241007-en
Max time kernel
445s
Max time network
1170s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\a
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:45
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1783s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system\DProtectSupport\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\DProtectSupport\svchost.exe.bak | C:\Users\Admin\AppData\Local\Temp\cn.exe | N/A |
| File created | C:\Windows\system\DProtectSupport\svchost.exe | C:\Users\Admin\AppData\Local\Temp\cn.exe | N/A |
| File opened for modification | C:\Windows\system\DProtectSupport\svchost.exe | C:\Users\Admin\AppData\Local\Temp\cn.exe | N/A |
| File opened for modification | C:\Windows\system\DProtectSupport\fake.cfg | C:\Windows\system\DProtectSupport\svchost.exe | N/A |
| File created | C:\Windows\system\DProtectSupport\fake.cfg | C:\Windows\system\DProtectSupport\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\DProtectSupport\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cn.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Windows\system\DProtectSupport\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system\DProtectSupport\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system\DProtectSupport\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\system\DProtectSupport\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cn.exe
"C:\Users\Admin\AppData\Local\Temp\cn.exe"
C:\Windows\system\DProtectSupport\svchost.exe
C:\Windows\system\DProtectSupport\svchost.exe
Network
| Country | Destination | Domain | Proto |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp | |
| CN | 222.186.34.91:10711 | tcp |
Files
memory/1476-0-0x0000000000400000-0x0000000000516F33-memory.dmp
memory/1476-1-0x0000000000400000-0x0000000000516F33-memory.dmp
memory/1476-2-0x0000000000400000-0x0000000000516F33-memory.dmp
C:\Windows\System\DProtectSupport\svchost.exe
| MD5 | eb6b77778c65e43ff9b3e3d43e1b73d5 |
| SHA1 | 81172f2a3e4b387e20e3d404a09c3487d5601f70 |
| SHA256 | 2afc2f49dd75c30e378fd9af09d1ff288583eb3a02b1b5efa53864fe876288df |
| SHA512 | 24c511205d6a452c7068c7a1db112042441aadf05e66665cd5caf979b1267b5512588819a24aabd0f159697faa00f417713336bbd14be9b1469d4b8aad948bd2 |
memory/1476-11-0x0000000000400000-0x0000000000516F33-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:57
Platform
win11-20241007-en
Max time kernel
440s
Max time network
1164s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ly1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:40
Platform
win11-20241007-en
Max time kernel
437s
Max time network
1160s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UDP.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UDP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UDP.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\UDP.exe
"C:\Users\Admin\AppData\Local\Temp\UDP.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/1656-0-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1656-1-0x0000000000400000-0x0000000000408000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:40
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1801s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\cctv.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cctv.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cctv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\cctv.exe
"C:\Users\Admin\AppData\Local\Temp\cctv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 54.235.162.81:443 | loopmd.com | tcp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
Files
memory/2332-0-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cni831A.tmp
| MD5 | 685f1cbd4af30a1d0c25f252d399a666 |
| SHA1 | 6a1b978f5e6150b88c8634146f1406ed97d2f134 |
| SHA256 | 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4 |
| SHA512 | 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9 |
memory/2332-5-0x0000000000970000-0x00000000009E3000-memory.dmp
memory/2332-8-0x0000000000970000-0x00000000009E3000-memory.dmp
memory/2332-9-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2332-11-0x00000000770B5000-0x00000000770B6000-memory.dmp
memory/2332-10-0x00000000770B4000-0x00000000770B5000-memory.dmp
memory/2332-12-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2332-13-0x0000000000970000-0x00000000009E3000-memory.dmp
memory/2332-20-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2332-22-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2332-47-0x0000000000970000-0x00000000009E3000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:00
Platform
win11-20241007-en
Max time kernel
427s
Max time network
1150s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\pjhxx
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:10
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1631s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\yk1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\yk1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\yk1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\yk1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yk1.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\yk1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\zebhau.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\zebhau.exe | C:\Users\Admin\AppData\Local\Temp\yk1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zebhau.exe | C:\Users\Admin\AppData\Local\Temp\yk1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yk1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\zebhau.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yk1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yk1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zebhau.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zebhau.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\yk1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\zebhau.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\yk1.exe
"C:\Users\Admin\AppData\Local\Temp\yk1.exe"
C:\Windows\SysWOW64\zebhau.exe
C:\Windows\SysWOW64\zebhau.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mhyk.lyjq.org | udp |
| US | 8.8.8.8:53 | mhyk.lyjq.org | udp |
Files
memory/2536-0-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2536-1-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2536-2-0x0000000077554000-0x0000000077555000-memory.dmp
memory/2536-3-0x0000000077555000-0x0000000077556000-memory.dmp
memory/2536-4-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2536-5-0x000000007FE70000-0x000000007FE7C000-memory.dmp
C:\Windows\SysWOW64\zebhau.exe
| MD5 | 76eb54ffd5a2a2e161b45a9b4e24b71b |
| SHA1 | 4031978e9de0805858233e45b9109c376dce1db1 |
| SHA256 | 5ecc331e0704bb6756aaacc19bd3d356d9c6851819c18df5be8ef76ba46cde95 |
| SHA512 | 119807cddeb634de800d82fa7eae3d11a40bf2732bac8e6a3a31c14600dee1abcdb945fbb5349895b945120c70a5e4fa9629c26f33cc5972ad0449489ef569d1 |
memory/2536-9-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/2536-11-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/2536-10-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/2536-12-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2536-13-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/2536-18-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1548-19-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:52
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1799s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\k5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\k5.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
Modifies RDP port number used by Windows
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\nslfoo.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\nslfoo.exe | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
| File opened for modification | C:\Windows\nslfoo.exe | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\k5.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\nslfoo.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\nslfoo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\nslfoo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\nslfoo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
| N/A | N/A | C:\Windows\nslfoo.exe | N/A |
| N/A | N/A | C:\Windows\nslfoo.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\nslfoo.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\k5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\k5.exe
"C:\Users\Admin\AppData\Local\Temp\k5.exe"
C:\Windows\nslfoo.exe
C:\Windows\nslfoo.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 1408 -ip 1408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1392
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| DE | 83.133.119.197:80 | tcp | |
| DE | 83.133.119.197:80 | tcp | |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
| US | 8.8.8.8:53 | k5.lyjq.org | udp |
Files
memory/1408-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1408-2-0x0000000077A44000-0x0000000077A45000-memory.dmp
memory/1408-1-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/1408-4-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/1408-3-0x0000000077A45000-0x0000000077A46000-memory.dmp
memory/1408-5-0x000000007FE70000-0x000000007FE7C000-memory.dmp
C:\Windows\nslfoo.exe
| MD5 | 145c9edca1151d477e5c339b6d797cbd |
| SHA1 | f09d773d50f87c47500305e79bc1e6fcf503ebd6 |
| SHA256 | ed989d9d7e04a312dffe2fdd8dd30273d5b07ee56941f1a724b6143752ef42da |
| SHA512 | 10f5d6cacbbc96fa22c097f5b519fe1738a5531820518af00cedf8ca9112808bc2c2871845f85f496a1d08695441262ab3ed57068e6d029ec1e5aabdb32d47df |
memory/1408-11-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/1408-10-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/1408-9-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/1408-15-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/1408-12-0x000000007FE60000-0x000000007FE6C000-memory.dmp
memory/1408-18-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3780-19-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:07
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1686s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133780918712778152" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\wm.html
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0e07cc40,0x7ffe0e07cc4c,0x7ffe0e07cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,16240704164810270292,13529596998773864541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1792 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,16240704164810270292,13529596998773864541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2068 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,16240704164810270292,13529596998773864541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2960,i,16240704164810270292,13529596998773864541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,16240704164810270292,13529596998773864541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4504,i,16240704164810270292,13529596998773864541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4644,i,16240704164810270292,13529596998773864541,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp |
Files
\??\pipe\crashpad_4176_LILZNRUUIXBYVUMM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 409d8a3f533570c9014e2138ade3b60a |
| SHA1 | cf3fb8050666dfbab8102f97eef6b6cb4eeac2b9 |
| SHA256 | 78a057e063d5e9d791e098d53a659425a52f08bdcd29d2d5ab8dc79804308b23 |
| SHA512 | 96a65bb1cc4e7eb6dbea0a2a9b27e1f982aa486b56f5cee6a3ee846015d7df0d48e179b096826ae9990a56aeb4bde448132eabae81b9375cf752e08b112e9ea3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 660200eb3929e92ba84788fc3c0390b9 |
| SHA1 | 7ae088601bc7bbedffdb76fce5d2a233fac63025 |
| SHA256 | c2d004bb704ed5309ba363ec094b22c8c2cc6da1fd36ec168b8c71e30a0008fe |
| SHA512 | 0fa78db29e6883f6f2ded73ef9bce42db0d23e5b0be5396b1ce89c40adee267da156054170a29ca9864af0d6b69ea2a588e18fc82ad1fe64465dd33572ce0fbd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fa44a2e2937cff1d83b23c028b62a15b |
| SHA1 | e5e19930482fdfffc3b1f36ae646de019fbfdd00 |
| SHA256 | 75ad1c6bc4712287c9d4016663b67df1b39cf410f5f6ba4209142a14754d1eec |
| SHA512 | ca343b3c26be418b8d444201dbb9b13117db81dc2fc8732ccff2e8e09f2876335dc58bb8a6f4b85800f3d2749d13d5d7d7cf3fccc9f1543777e60ecef2d80486 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b7232f3209f39f9fd2246012409919be |
| SHA1 | dd8154a153b44f0793dfbaecaa13f33c47b74b4f |
| SHA256 | 9a3e58a26240b3fa173182e4c4033d3a0a7bee4ea0d0f4545cdb9232216a4d35 |
| SHA512 | 0abdd032dec70634cabacf9ae6f1abbcdea94136c53340cfae5e5393eb159b3093b6e1b5b4371c5ea0b8d207869a44c8f577dd887d16934b84156f98dea32acb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 9761797cf8ffc7c18a871f34c4a18c88 |
| SHA1 | 42f379de63c9c2a9439361ae90ac6e00e5c0810d |
| SHA256 | fa70d1e9d9dcf46afbc30e6d17b358af5691b73f5a4853066579f75f7af1d3d6 |
| SHA512 | 58716adad5a311b94460bce12e19ae9e12dad2ec2474eeab9aa4fe10faa85648fc2f4ce04abfa43e4fe5a1529282f8b02320935b09e7444ee8921709dd4299f7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 05d1a39cf4946b1d978fa81aad933f06 |
| SHA1 | 4f60beaca748d1c6ee84db3eb29f93026baacf53 |
| SHA256 | abbcdf2eea22099911983b3bfdb0a0b280ad838086408e790cab7a8a33d0199d |
| SHA512 | b23402e4b759125750800cb0613facab71cb690ff0ad5ea4e693ab27beced5d78397b92cc4fb007c17803c5651de193be35e0e7a50fe3c551e63056a54a4c9ce |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 33e0df4f32906eeb9a404050c2a2490e |
| SHA1 | 15120bc60423845bfa50adc873b95e1a3e316829 |
| SHA256 | a5689cc97c7f282ace71a2e091ec2819dde2b38f34da5593b50eb745aba16e4b |
| SHA512 | ca876fdd47bc61b4b3b2672c4e02fb705bb42fca8a9fce136654a71a88cc014f5987787485b5ff4ea8ee4af4c843e45fdde0324ddebc1e4de332134deed0a07b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 507bde5b67fcbcd882d1d2dd4054ae84 |
| SHA1 | d296f90f995ae1935a55979cdbd9ce0c70383c4b |
| SHA256 | 9c7e40dd53f7924f080c4c37cb4e01a78d6da9cd56673b03fbdd1fd06f2aa6c5 |
| SHA512 | 90019f6337fd53ed270707b498ba25cbe3d3673e77e392a3b3e18bde45b26ebcf0fdd8ac5dbb223eefd3ed3cabbca17bbaafc4e4127cf6bbd61370ba6dc8c7c2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\697d3f49-b079-4a5c-80a7-f35b10e44bf7.tmp
| MD5 | 5f5daf3b253e0e1d9edba627a7ee0bd1 |
| SHA1 | d24a7ed98601fe50312d6bfad35db57e361e849c |
| SHA256 | ef65c320ba780b61a77a01bfc1b0700d80b6186e192724dffce336757a764306 |
| SHA512 | 0a34d3faab80fbae795cb035b7aacce6d05cc9857439c28f2e622381f9c9e6255551f06626baa367d62245e94dbf63a4d1e04117bbc82cbf5036760548ce5fb3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | bb3e144c342ed5649f6a0c6b161a2cad |
| SHA1 | 72a6c3edeb0fd261787a669697ebd05cf1e22372 |
| SHA256 | fdf518c21a7120ce33bfedc91112b203270da6d9a42cec92d936014079cc81b1 |
| SHA512 | 3bb9396edcff9f7498da5644b598142c76e40be9b87f5889ff7d8cb598f5dca41568fcb9912b710793a7265ee5f454e43db2766ef4da3f460db4cc1579ce01d6 |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
| MD5 | f49655f856acb8884cc0ace29216f511 |
| SHA1 | cb0f1f87ec0455ec349aaa950c600475ac7b7b6b |
| SHA256 | 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba |
| SHA512 | 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8 |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
| MD5 | b5ad5caaaee00cb8cf445427975ae66c |
| SHA1 | dcde6527290a326e048f9c3a85280d3fa71e1e22 |
| SHA256 | b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8 |
| SHA512 | 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f |
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
| MD5 | d222b77a61527f2c177b0869e7babc24 |
| SHA1 | 3f23acb984307a4aeba41ebbb70439c97ad1f268 |
| SHA256 | 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747 |
| SHA512 | d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 11dce516e47d4fa69447c87bddb73e72 |
| SHA1 | d931c4ed006df8f2cf515231e473370ba518a49c |
| SHA256 | 84067eb182a4a93f2de4c2dc57bba1f9c34a47ac9301a7669de86a0c25fc606d |
| SHA512 | e65161bf1c0a0607388b6c7dbb8d197bb327103d8f872a2a46e152cb130eff4415e5cc61f236e3af52393d65bf938b61f9f71799e7e96fde076200063f264be9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 953386e3f2ac6240210eab87de42887d |
| SHA1 | c9aa1b0523826c2056fdf8af8f32b652f1e20528 |
| SHA256 | d3beddd445a5f584a070acbd51d1ab453bb723deca53940851e3b414e553beff |
| SHA512 | 3fd12583ad797ec12faf200963cbac76f2e6d152d151532dad5ce361234291e1ae61ff7bebee1dd160421ecd4d1db349a462bd80c7b41b9a55912d3008aafd58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 03357d070a4cce1d2324a71c280d5b4d |
| SHA1 | 00919cee5e18daba05322a9e335a111cd3504399 |
| SHA256 | 7a34ac26496b27f6e48fbc774d5f2090b0d5189563f593230d52ac60c8b691bc |
| SHA512 | 0b0e435984bd6a295a2fd49101d46f5fb91df09f2b54d237447198592c32d7bc3368bd179606007e0d76e3f3570c0b530f67676ee0016ff14b43bebecde0ef97 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 79f2b3429ca570c7a30beea451ccc5cd |
| SHA1 | af04c677653e4214590a33ea2a8ddfbec266df91 |
| SHA256 | aa4f80eb0afe2fe613687cf439b5da3b272ca522119e4d4f8a10766c6911d171 |
| SHA512 | d7490eeb22e34cefba365a55a08692825add6092adf4b41a16cf57c818c51039d46809bb70199db30e5b76bd8063aafb57810a52c39a94e614d4409411e6a8c5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 46a00bf6a10f192f8cb3d3e304289ece |
| SHA1 | 697dc8052859218fdb5d950fe23e7b999751fc59 |
| SHA256 | 3a655319a009e3c9917d688cf7f190df71a1956c31652b276af0c3305105d96c |
| SHA512 | 7597dc2b59edaa676bd18f28a86c4fc4f909112045a3532c5d785c2e389cc21b83bcdfbee2cf364050c0b17621bac3ab51116ddf7d3d80121cb76beb6fc1bc0d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fca1dea5670df76d12ff05b015a2a8b9 |
| SHA1 | ad38416591b6b6291cad1206fbd6ff038eb87c95 |
| SHA256 | aa34e8cc28e463596182d3be1efeec1be50691483043e06719d7896a06a7b23d |
| SHA512 | 4813c873f7cd28a32ba30a725ad33112dc2fb284bbf6f5bcf872c727777724edff2b92f18439685f7de30292efc1f8db57cd0c8cb1d5ce1acb5db60d97bc7c6f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3b4717f2fc01374a429af3d4e8962990 |
| SHA1 | b15de87501b7c8c89628b9ed65986d5bc3122ec3 |
| SHA256 | 4158fff3eca3115e6a33fdd0999335e0409185ccbdbcc3cdcaa8e2c69b705c20 |
| SHA512 | 562e6b0f3e9f2b60b605e3a044cdc670a114602ab92d5835aa424694e0ace2b3afa61fce98fa4ca84c1b5e2b94e77b930d61f00d83c925bd2cfd26d1025ad5e7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 704bcf59c1c043a521ad35e7b3ec987e |
| SHA1 | 1492577baad5ae593d6f4476a1c2d8678e495fec |
| SHA256 | da4408f037b88f7186fa84c8857360c8138c86df4dc297ad9f51394423813b24 |
| SHA512 | e42549d16c429e35d87f653534439cf8851cb6b0744957e7661574725e6df13199afcb8e704e623fe51e4e2889c6483af87a15802849a56dad53894eb2755387 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 15c1d0af308809d7eb496831f5f346f7 |
| SHA1 | 75680bcae68c8ec32bc80753c41bde041189bc31 |
| SHA256 | 2c060d22900373d9794a0da23e2c5885f2d5f2c8410a26a5a34dc9449994c5cd |
| SHA512 | b4036c72159639b38a93008191cf583017c8ce596f67354234b43ef8b2c80ee09559bfaabae6c73485ba83be585a6ea0af735a809a21bd1b7ddfb627154bd1b5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2e84f16fc3fe7ad2268a1db057ef049b |
| SHA1 | ff69f0953add5c9d910279b508d4f42b704823b4 |
| SHA256 | 77326062600ba279633dfeb4f31a10375d584ec429a036beb56f97d07d1f4bd4 |
| SHA512 | 52a2d5bf3ee0661147648aadd02bd81bd7f70c801ac9bac57128692cfbbe13890237083a45b74567579d4dcc80a1431f26267e7aaeddeb262a805de36102627c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 300c21f2c5209d83b79a1004147d7354 |
| SHA1 | 5cd1afb69e6211846c23a445942d4cf3525b12b5 |
| SHA256 | 2f4aaf827766a893f2f9956094da1a100d7c04b407efa80ce55ea6765cf37f7a |
| SHA512 | c11fb98e239e07e2337c5260a5c63051687278afd15267b96e739e7c4207091cadbb2696a83c22caf155b1352e3a50f3023683c537c420942642bafaf9db8711 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a372c7032a3b5fdbf39e983c7a697122 |
| SHA1 | e6bd70d2e17f7b6a0b51558ed027ee3562cb23f0 |
| SHA256 | b68164d5dc6012c94edf1af50486afc623b78df5bfc8539cda01a0437cfddca0 |
| SHA512 | 9a8431354ce1f533268e5a20babb66cc9c7df38218061e6324485869bf637e4fa273a72a90f19a2d9c408f582d7587ccd105e51b054255cdacff2b6f36c4b9c8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 68d57a62dabe776fbd5b7b94ace3c152 |
| SHA1 | 9fbdfc84ad3d6b8eadcc2c414c9a3618f09649ac |
| SHA256 | d460db90e01c3d6926b12163d80998428e7b1a5d6161aaa845d00638b962bc31 |
| SHA512 | 892ca8ca2fa65b2a47732c47d1c986e48cdcaa85abe7ecd972d38c6060db53f07df59d5c27c1af92967c488e84a0168c9da46ae5d2154478d2fe969654809b89 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a6a89eef52f4e99aeb0ff23311ae264f |
| SHA1 | 50af03b056e485a8787e629c0480cccb6f24e939 |
| SHA256 | 4888f235a8030f6cd11c0838f389dc5d2b892c5fab7744a3c01fdb622d47eaef |
| SHA512 | 10e2c31e5c2fcdd28043273db5c8046813dc7f14701594eed8047c6805186e2d2449043ab0bc21eac937ac7776303cec7ddc1131b245669c197138e11236d90f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 589b9e05b9480387ba818eaf5078eac9 |
| SHA1 | 598e2fc7f6d722090e0a532048358032557af4ee |
| SHA256 | ab3a0b16c4c88a9b3a87ab2245ce0e6360543d345bf78459dc2a3d2cf6501720 |
| SHA512 | 5afbacb953f5d1aa0ed37097a69c3fcdbcc346a69ae88cc382da86dea6d653cf9e3e58e59957ed446f162bb298abdc5fafe7bd0f0e6a0a1e13fd0967e46dce11 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c173af154be2666aed55d9d2de153d76 |
| SHA1 | c135801bd7e00fc19b67a055d847937d07561260 |
| SHA256 | c90e5bcf02129960de0a42710468d7da2189772fc9616a10fc5d0fd320925d3e |
| SHA512 | ecd64753e6a17406e4dcb8fbff4058a167658d4b295dfcea8c4ddff58128b4e024f48b1d4be480b1fe46c2eea4d3c667a5d9877a46c2c9dc00ecc1c24055c919 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5f80ab01508eb45476416139acc5275d |
| SHA1 | e98f9b62301af27c2a2c7151a6a1179e364a0186 |
| SHA256 | 87a35df6f860bfc845ff60b24cf2ab5a8664e991a703565507d0c9b2ec5244fd |
| SHA512 | 84468fd76865a1dcf05d51005e7d591784941242dd30c2a2e6df320d8543355491d7b9ff28f990fe8b392b67b47776787e30f41cd88cdd8802840817fd6a92bc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6e6fb650a0d8e6d2024cc12e6a247a86 |
| SHA1 | 41fa4a5677b913d658259cf533737e4beabfd298 |
| SHA256 | aca66e07cd486ac56ea4c2423edb02fae7d6bd7c90ff4cedfac3d11d00ca51dc |
| SHA512 | f20110f6f4bb8260ac775aa6feaa5c51b70566f778c51102cdc4792d187223529b218fb64af1a0ea0098c28524eb3583f88934298d8f641d05e828344ca7512c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d5091c6b646f60ecbc8e00f785c931b2 |
| SHA1 | a420f6005f38e406bdbdb1bface37c2e2904cda3 |
| SHA256 | 8b4c1cc5cd90d8a2b4d81d38caa2956ddbd9073836685b9ada9492db876f2b08 |
| SHA512 | 9ce958fabbb38743d94f672ab022e6af350c2f179c69cfeec240a4e5fa3c708acad2080d7268ddf3c6aea2e7c18ab5acc72797e96531cf1205a5a2ae85ce7a12 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 01ea1820fc39e5982b60ee7aa5191b69 |
| SHA1 | 9e3fa69e059787f247c4d896ba73af25bd757276 |
| SHA256 | 6e51c9c808a6cd2e8a696b23749995424968e966ce5ae4a0a06bc05653b5f526 |
| SHA512 | b29d9176b284594463a439b90370c5a7a9d4ee3ba442c61b562d008693fa500de905015b6031af72498e765bcdac314c671042a7c956a2aabe13008a1ca51204 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | db0681a3f33cac71cc69ed6ff11558b5 |
| SHA1 | bf36e2339b034760051dd642f57d8015731238de |
| SHA256 | f1b42b2e8c6a83cef27caed6b3661de29efe3b4456730714a74cb79250fd88c1 |
| SHA512 | e272b244cd877380d04ad5886e7e0e955891f3f3c0b5de607a5cc19d09f98c3a87ae5166f5b0d4d315d1de6c1b3890255f64d550318d0ea506de681695362b20 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e0e9cb5e25d3050fcec615c3efafd3e7 |
| SHA1 | de849885c76011bb6e388330f38bdbb636b0dcd7 |
| SHA256 | ff00a6ca14e95fb0be9ee5b46381343998297d05831d16d277d8cc0b2f317f28 |
| SHA512 | 54da764082a1762d07cb62fad66e60934e8ebb67fb4b4521c285f3c61c801508c24e5235a8a8080feaab08c391998731b2ce7c2282d79bc932bcc24782f91b07 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a22b37f3b74e8e1d00432380b5fe0f0d |
| SHA1 | adc644f1208610d6bb65bc0b33a8721b56cc4114 |
| SHA256 | d5277428cd5b850882ee357a9508e112d6fe90b38ca6d709b6dcf8d605ac9bf9 |
| SHA512 | 77b343334932dd3f57e516b9b8c0bc9c1e9867b9fe9d344ef9a7460606ea1088f9e44d97b50ee42806cbd7aa81a901c3b699a63b3e05e2340efd59b0808b5c04 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3a425e74882d464597debd08cefa1e49 |
| SHA1 | 6d610f8a70c34dd18e047b3692cbf52b41bc5f49 |
| SHA256 | 6e05eabda18d3a33c8737703a84ceeef26992e70bf0ef277f450b3056ba649b2 |
| SHA512 | dd6523f6b19431e8c0ff2edb27d623148859e96ea29f6cfcae22b7e4eaf912da768aef3a898ed73b4ec25b630efec0902fca1d9ef7f579367291b6d7cad71ea4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d00fc0fbfb5b4698eea622f0ec7b75da |
| SHA1 | 03eaa6414e8ddd04e8ac5f1d1d3a8cfa2986f10e |
| SHA256 | ae6432d632b874c9c9308fdd7a91d4f26e399b95fc257536c630df6a3ed9084a |
| SHA512 | 63cc49d2e2388823f5b22f3a793b6f7b365ae0c2c376665a5054df4666ff32b2998fb3a76630cf0977f6fd97c88071e25d7d737a5a2d69377a247f09628a9e50 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 21649658af4a82a7a7d5fcc5960b783f |
| SHA1 | 6369e2df300b067a85b58836c00027d3b0d53616 |
| SHA256 | 9b1a6fd32c05d9979f9a7d2a178d04bfd4c59fad3762053239baab718809af75 |
| SHA512 | 2b29e578a489bef8681f87a0e147b9fed71031f4c7b94c92c2e0a1371d43b895f9fe4e94347880c79b722c8543a6b50a04d755bd3e6152ef5e50b032e75b0933 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5c14db951562f21c5a45b7ebd7676a3c |
| SHA1 | 6d6c1ba2629e05e8c71523f3140e0d760f57a98d |
| SHA256 | 03ffe971ce87ce119603054778ac1ad9839efa2ff07c82322802eb8be7092c3c |
| SHA512 | 675f44af569c181da8f3b943cd6573792a8420d7f9d6a6f3f5ecc325f3c02bdf14b479f572776f4cb188638302627a30212460e7bd1526521240ecd73ea52b56 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c8130d30c8bdeeb9324c420c79155d49 |
| SHA1 | 4a2ae06699c29458f591a2fb104f876f89542d8c |
| SHA256 | 6f2fe371c5498dac625333a7b7ad666a493c6701980428f0963628608d757b93 |
| SHA512 | 7428696b6090d3551bf8af5f276cccd696e5623627e9bc2c68306b622776d574d42c5d3f47083373e09152e4b9b715659864814caa9906022fa840010508fa55 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0400a14ecc3c8463e23f8329b71ee8a4 |
| SHA1 | 0756d2480331fe8e2843a61b6629ca4ff026bf66 |
| SHA256 | e09e128a4704c39fd4de23bb8a58379e754d8ba3f096e33222040321bc857934 |
| SHA512 | 6a4454e40b465ba6192459cd883ebd3fef704976b71d2d6f2394225b5caf86a27c50fdb2a5dbc3d123c97dc7edc59c3633e5050821f0591db3f6bc2e0d0e2e91 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1b35604ed4a4118c29dd908234051b83 |
| SHA1 | 28a0d2eadb709b90601ef50113dba17a09f87f95 |
| SHA256 | 2f62a0cd0a64ae6d5a6c8596d8f23bfa274dd63bda3d877d4a8328f763746bc3 |
| SHA512 | 9c4ece018939e63ce8d2096240fd2fc6f3eb11097b257069d8b13462142567860f5ce03730343f681a71f4f0ca1023edb9de5de0ba31ae78fcd27ef77ed3df69 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1a7ed74de592d54d51b2dcfc740e0084 |
| SHA1 | dc515528391b1a5c835e6a74895a1e9ce5f3a238 |
| SHA256 | eeb1216c4b64c504e0cf9126920d5c863f5821b450dbf2e13355e1000c5ecc47 |
| SHA512 | eb941a66f8c7cf008563ee7fb13b80db6efa0ca04adba1194a5b754934004d72a7a517968c7c79679f14c6974d3eacf760cb0ff5ed32fc39c9f12f784aaab4ba |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | bd46f3c56c08d0109631ab8ad0456ac2 |
| SHA1 | 54b0e175bad6761d845837cc3d428e11ec120c46 |
| SHA256 | d36b6eac0d6bd150e34408dc12419a3def9033be7e78cc5a9adb1fcfbd353d22 |
| SHA512 | c8f5dfa33103d2d5a7679a0256ed94802cef0f8928042016819180a34f50a9b5b814eec2b725ec565a9190d0ee3b2bef52188b08d0acf7fb1d27142db287be73 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 63033438b3a632450b8049929c1a5f9c |
| SHA1 | 36ac0e0c4e6f74b1db082769bc9966de3348c4e4 |
| SHA256 | 8a59630056ee3d4c42257bf201f1edc57cff896b5d80fcdd14afcf96b1c85312 |
| SHA512 | a0e5210d0efb541a6c7ed510cd103b477b717306582df8645c62a06b31efade774442aa6842e6a589fb2c8876d95974f432c1331d2568779aaf63bcdbcfaddd5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2f81af07594a1130298235763a923804 |
| SHA1 | 0f1d2fb4065768e121752c0c3b675c2717b5961d |
| SHA256 | b92a499cb0252d324c7c9b28e5a979b99f2cfdf0c0958186ee55564be5453276 |
| SHA512 | 6118059c4c9d27e4ba8cd640f59a4861dd3c03ecd23e985007ad088d119f0442db61ce1e932e38343a3ff083b1912bd0f0270afdf33ffdaf4490f8ac4c49dc63 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4c3c91e38e0eee160638bf09cd0c32db |
| SHA1 | 325aa80d01bf4f0f9893cf4604f3dcf963dec4a8 |
| SHA256 | 78fb5f32fd725febc90d4460b9187bef576078e92639d1410a1f6c21d1c1485e |
| SHA512 | 31312098573634a0fd24a33d9487d61b25d582d9be1822df6b8240742916ab96d45b5b23f4e12b11eb6ec9fd7a9cbe2410515637f143c11527969832770c2193 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 13396bb10c7042fad07b3ec059ba4de1 |
| SHA1 | 07aaba9b83c3e788b00b400fe451f86921bbed00 |
| SHA256 | c03fb8a42af12707b43d63f4ebb43975c3afd511bc14b8992276417b1fc8a172 |
| SHA512 | 011294aa3547534bcb44fac697ce6189659a9331f02be3323beef0f787a1a737aac620d77f85f5c13fc0d8d93cd89afe8ad3ddd242f2ee22e6329e1d7e783980 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7958ad99896140e85a8748b0d585a5ed |
| SHA1 | d2deab4f5f712adf4e1d95c95ed3aacdba824837 |
| SHA256 | ecfbda768fc7f206249002d663f6f4a3eba4b6c01153f618909bfee9b13d64bc |
| SHA512 | c807e80a76a421a3fc57dacef4040b157f4878396253b08ab1717e4f1ebdc805eaef7b4da168717c2be72aeef00787469b9e5fb33f0bf86c38fc223694f03db5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f4b21616310fb4d7ac506dd798f08dea |
| SHA1 | c603bc72368a256087539f0f7bd5476533a7a04b |
| SHA256 | cde05e2e7d85d4d949e2893b4bc4c64800e2cbf94d52379706190b78e39f799c |
| SHA512 | 6e7d61eab0a8dd0aa8b1e6d4be2fb8a084e5e6f0217772b8778477fd09aa9294c6a0780cb001a064a1291c7c817643e8a263e86d070117e6c4cc568b2f918348 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1de246024eb2964b17b22c450d1030a8 |
| SHA1 | 2fcfa516095c8a49780232c86cc1fec6f5463678 |
| SHA256 | abe8cfd0a43dde7089606a4eefcc5d7f4801e377623e14489622b278dc92824f |
| SHA512 | 232280b7950444fea00ec03017078be18599586a8f73173c0591cbb87d5eab6fa2ea084eb37345bb8b0cbbff43e1e5f327945eae21ed16eeb41581207cbcf036 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 80e9621a2f399d4d706345ccf1330447 |
| SHA1 | 9a1318e40f433c47f6a867bdfe8cfcc9516e5e40 |
| SHA256 | 426f287d4f1fff5bb409eacfc9dce82f1f4a41fe462f20c884f7e97cff1adc59 |
| SHA512 | 0d1412d9e0b76e13783009e77302559dab1e7ccfb712b1248eff25daf2934de26d680fdf78d2c0789fb53e4e362d94e9aa2925b20e1a2c091bff06f06dd000c6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8776ef6d2c772076a8028bf0d7e1e17c |
| SHA1 | 892c1f3829a7d8a0358e0f681c42cde2ea3d9d80 |
| SHA256 | c53fc70f6b6e9485b1a3a96423f5a572deae846ae334ecf1a907c6faf3aed8fc |
| SHA512 | 8d3a5e337991b2ad9cfc0fd342b0ebc5d5353c7ae1f34de6d609f7a2af1b190f494ebfbdfacf2e6c850aaef2617aeb0022a9abe195016d8120bdb53d07dffcd0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ca9b0fdd5e34e8e1536600c63fd2fdae |
| SHA1 | 2506be70d3639cf1e36a7982c6239ac7f3efbcbc |
| SHA256 | d7a9e4cf8c124836c9d60f232da58fb2a59b3cd1f8e1949e657165473f4943a8 |
| SHA512 | 63f57e945afedf38f428aaf210a2a30efe0f1e2c6d0922185250783447b136bbf5bf3d5387a3d19d0036a38449ecfd75ca004968bff6e02d156d8d53a43fdd32 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 669abfb79da7bf3ca86eff91fdebe70a |
| SHA1 | 3dc954636f4b5e90f366e208ad11abf173e77df2 |
| SHA256 | b0cd914707039fa3df5a0f0de8bd4efa749f239bbf6df98b1fa077f0bdcfb6e4 |
| SHA512 | 7704f891d03e200ac4512147ad729a8a5fb10e0617be7ea3ad22a8385b9ee2687d0cdd188ba2e783f34a435581b060cf74dca6fc4f7735e8fff15ac31df25f75 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b8b2b2419bab311da176f7617c98599e |
| SHA1 | b08c14c3a357162d370c6d0d7c5326fc64200d98 |
| SHA256 | 265c8ed25a0ea174ffef473354e8f972edf82136783aaea354657ddcf92d59d9 |
| SHA512 | 7825aa1fbeaaa7b4b980076f9d2f9411c3b975ea6a50ad0af96b24666e7d73826c36bf365c98d61c2bce6d0e3f478d69928eec1ea540ad7c4fa8b28fe677cf42 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e43fa175ee7fbca9923c8345b8834895 |
| SHA1 | 437677aa98584e5e020ce0f2c4405c1ba22061c3 |
| SHA256 | bae847e607522dd6ada224315956213d6d269d7822d5dc3b4673c72af1054730 |
| SHA512 | 0023e7b19e4a5161884463957bfff5474bf4eca94e43aa2b28d4693da57952cd3c549c113938a7558a4b122d9d23be775b8ac49fee0ea48d6adf2244adc91453 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 52dd45e0eff86b9a02905c43d9e9b12e |
| SHA1 | b26c0468ad77ba064f70a4cbcae1cc974206d421 |
| SHA256 | bd74678127d615acb4e002e9806e55884274ca3277418f07a7322001fdd10386 |
| SHA512 | e13e15416f91070bfc2b1b21f4d29c3152f99bfc0279fb78ff853c94f7efb7fdaa12cde27b8155a61d404abafca4065b6cd79b17383fb898400dc93377c82545 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 276955ca720469e81a910d161d22c88c |
| SHA1 | 41d081356181851b28c2df142e6ee3ee20bb4054 |
| SHA256 | f12363f523e77f6f881476f828c8513d299ead920cc7369ba43538d22edc2279 |
| SHA512 | d95482e5f197e6ce2c008152651b553ac6998d4a1960ccb0292ca1820abc7ef06a3d306a36f43c098dfb8650e48396050db3a2c1e360b3442e72c88b753cadbe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d708a7d70dad943e3905392463e86fb8 |
| SHA1 | ac809ab7529601c2deb402aaf4109950d8809a2e |
| SHA256 | 4d4569c4c6ba15a7298851f340d17f968bbb833aefc0383e13ffb489aea0f450 |
| SHA512 | 3cbf60e88c3465b7af50d34c21c365c8c59893c2cf89fbc82d9eebca81f6a41146442d424c720482571f5445d8206dd8a8af5609958d2c9767ef25f1ab8febe9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9b47cf16dd5b817f3ae7b88ece069260 |
| SHA1 | fc10a198d9ee3df9c3281da20cb6dc98ce1ce3b5 |
| SHA256 | 4e6a93d0ee51fbae8ee7c3dc00bb1f2a5d3827c9e2cc261757a21ab238f5b016 |
| SHA512 | 892258950a06fc1f0e305e12eae41f74d1c4a495314dd5aab4f8973074dcdf5137fcf20de393c4d471670b3bb3030392ff2c2e9e0f1adce0729ac5ea84c75d65 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 405dc4bf7a85d9b34f62566826265d21 |
| SHA1 | 21622047de34aced2bc4ad9340b4df5a4b674d18 |
| SHA256 | 4af78ef5d15c21a68390cad387998bb165aca69eb14d41575e8e88f317ed6220 |
| SHA512 | 3447e8f303951ccd9ffaa7610ff3d8970d5d270cb47d1531160aa59e2518fd98bf77b1f625553d6e28878eaf631b215709ee9524ab90499a586a0b8da56d71f0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4fd9fb247630f7d7389d73b7353f657f |
| SHA1 | 2fdece7b0a265e7d17f3fc1fcb37d515e94d33bd |
| SHA256 | 0e7a9bbf668893603f09bc3503ee4234732f073d9e2ae10eb13d2399001e7ec2 |
| SHA512 | 6ec6aea4b7944db430f1ba054a2644ccde84d8004d81f0bb5b176e1b099bd43b0452d9e95a101d2c681519c77c0fafb939c842122bf88a7d9e9c317016d68466 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c4d84058aeee71c55d52ca84cf914b09 |
| SHA1 | 3c565ba3c3c53d96874a62380fbb22045fffabe4 |
| SHA256 | 4961a8e8dc462938e21e4b40021a65f9b22d5ebf4ca9b6317d92969555e01999 |
| SHA512 | f62468e4976bb028a4a4a3927c0ffd0fcd1a9c46bf62dac5728ebf5271fce38f69d35218205b5549fa9375412560fb877a1a23bf39ba4016765846393c9d372d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f909a133b159387aeba1ad0ba082c6ac |
| SHA1 | 89371390c64f2ec9e382d15bde0f7f6b761067c3 |
| SHA256 | fd2a152a6628ae3296422c9aa3ce9ff983bb6e43af555069190ba26b8b2aa0b0 |
| SHA512 | 3974de380497ee01b58f45ebe468079007cadc3e52990f5036db094d0478dcd2a58c4653ddf548404efd9ff549fe7a4315b8f3666371a8481e6bb19211f9eaa7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3b889087b895c30e2122046756d2b5aa |
| SHA1 | 6819b78aeceb5a8162425bf9f1c42c102958883d |
| SHA256 | 41fbfe6ea2fadee17bfd5b7b5b37291eaa61dfa58515d249ac7abba6ff324e11 |
| SHA512 | ce6bed79e23f62cd759449d17eceb8e3525bf24f3e06a7a604371d78b4f28dbb9003290bf77e21de35c6522fb0aa8cbb9ea8e25e4b864647543c74d44115c790 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 961ff3a17c073e42cbb1727d6b3e72f0 |
| SHA1 | 1d62ea16c13f1ea6a85aa9fb2da9794cefd617ff |
| SHA256 | 00a27da03006faf6b0c4fa2bcbc20c2f3c9a9645a1bfa1c0ec12caa7e4f577bc |
| SHA512 | 895c3033da9adae73dfb15fd51da006d57be1e8e1402652190efc80a8aa7fa71d9f9c76fb0ba38b94904fdd65cf79e057326e90075d5f8b2b0e3c4d972d20a26 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | eda87a31896c7f4a6c1a8434b092b886 |
| SHA1 | 27414781004e26984332a57dac9a6a3dd0410b86 |
| SHA256 | 4c91131cd7301c02b2773a9d4d29c1439153efd4f2f38df206bcb5bdbfeebb36 |
| SHA512 | c8d0928dabedd423f91d16e994787744a5435bb0846439871fc501c4e026b218d8b2f7cb52e3b168695cf4a4cb1011dd027fc6b9ec6dab0801f8e0bccf4f0b4c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7e59290b5c022704eb2846ca00b7a612 |
| SHA1 | 27bf5293c433350aa89f517a987f34f95de15d42 |
| SHA256 | ba19befe60d07596a593cfac2eb658d5bc359f2fcd300816517e4758a1f39d2e |
| SHA512 | c87d994aa275f02bc14a008e1485277163074923d986b7edcac4072d78f6e84b0d5a0ce30102344b12ad66ca8f3e7a2a83963655d806f643f81c99e57a929a9c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ea02638d0af899cb73453e0507908693 |
| SHA1 | 1409e67480894aaa2587d818a53a28950600e5da |
| SHA256 | 5d5a966027770727444603e801534bc82ab58ac601f9b1228519412bc611ea9a |
| SHA512 | 9f8bb4dde121796cbb0cbe0d054bab8b85af744d11fa72c58a1902d67ae87ab222bdfe881d31f773ad1dbd760444661092a8c30458185819df5e50e0c00f0195 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:10
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1798s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\xm.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xm.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
Enumerates connected drives
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\xm.exe
"C:\Users\Admin\AppData\Local\Temp\xm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | rvozym.com | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | yeelxh.com | udp |
| US | 185.230.63.171:443 | luzbid.com | tcp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | ilo.brenz.pl | udp |
| US | 8.8.8.8:53 | ant.trenz.pl | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| DE | 88.198.69.43:80 | tcp | |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
| US | 8.8.8.8:53 | mhddos.lyjq.org | udp |
Files
memory/2136-0-0x0000000000400000-0x0000000000409800-memory.dmp
memory/2136-2-0x0000000077054000-0x0000000077055000-memory.dmp
memory/2136-3-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2136-1-0x0000000077054000-0x0000000077055000-memory.dmp
memory/2136-4-0x0000000077055000-0x0000000077056000-memory.dmp
memory/2136-5-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2136-6-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/2136-7-0x0000000000400000-0x0000000000409800-memory.dmp
memory/2136-14-0x0000000000400000-0x0000000000409800-memory.dmp
memory/2136-16-0x000000007FE70000-0x000000007FE7C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:40
Platform
win11-20241007-en
Max time kernel
433s
Max time network
1159s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bj.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ahunvnjbdb | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\apjheqlyqv | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\axwaltnwdq | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
| Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bj.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\ktqutyevif | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4108 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\bj.exe | \??\c:\users\admin\appdata\local\ktqutyevif |
| PID 4108 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\bj.exe | \??\c:\users\admin\appdata\local\ktqutyevif |
| PID 4108 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\bj.exe | \??\c:\users\admin\appdata\local\ktqutyevif |
Processes
C:\Users\Admin\AppData\Local\Temp\bj.exe
"C:\Users\Admin\AppData\Local\Temp\bj.exe"
\??\c:\users\admin\appdata\local\ktqutyevif
"C:\Users\Admin\AppData\Local\Temp\bj.exe" a -sc:\users\admin\appdata\local\temp\bj.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4184 -ip 4184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1096
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3272 -ip 3272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 708
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1136 -ip 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 980
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | conf.f.360.cn | udp |
Files
memory/4108-0-0x0000000000400000-0x0000000000432800-memory.dmp
memory/4108-6-0x0000000002010000-0x0000000002084000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\msiB779.tmp
| MD5 | 4f407b29d53e9eb54e22d096fce82aa7 |
| SHA1 | a4ee25b066cac19ff679dd491f5791652bb71185 |
| SHA256 | cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc |
| SHA512 | 325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183 |
memory/4108-8-0x0000000000401000-0x0000000000402000-memory.dmp
memory/4108-17-0x0000000000400000-0x0000000000432800-memory.dmp
memory/1648-23-0x0000000002160000-0x00000000021D4000-memory.dmp
memory/1648-25-0x0000000000400000-0x0000000000432800-memory.dmp
memory/1648-24-0x0000000002160000-0x00000000021D4000-memory.dmp
memory/4108-16-0x0000000002010000-0x0000000002084000-memory.dmp
\??\c:\users\admin\appdata\local\ktqutyevif
| MD5 | 2e026bd0e0d686343274db104753850e |
| SHA1 | 951022e35f37755f4406483b30937eca73683430 |
| SHA256 | cff0c6bd02e50018606d67f01962fff054b8e02698a6484b816089b02dc3083f |
| SHA512 | c7c942235d706777ec2f18d4e03a3f2147446c1e9ac3b48c6bb029fbce4c84bf066e3e3dfa9e6768e1253dab637e54723f24d22f6fbd19a0f947afcf9462c5c3 |
memory/1648-13-0x0000000000400000-0x0000000000432800-memory.dmp
C:\ProgramData\DRM\%SESSIONNAME%\wnqvs.cc3
| MD5 | 40ec667ea3748cfe3d46de0789c2bb19 |
| SHA1 | f2f472dbfc03b357904b26485bf57e98c30063c5 |
| SHA256 | f36369422c807bfa6eb0b48f92cc2dfff414acb9be6c1acc70b048c63c4c1f49 |
| SHA512 | d763752a8a97369bcdcbe4f860c8916ca6f2b8c999e92055e025d3c061071166ff1c541d535b5bde5c69f41306f885f9e1c0e8101c2f278e1e1adaa6ed0ed24a |
memory/1648-31-0x0000000000400000-0x0000000000432800-memory.dmp
memory/1648-30-0x0000000002160000-0x00000000021D4000-memory.dmp
memory/4184-32-0x0000000001540000-0x0000000001541000-memory.dmp
memory/4184-34-0x0000000020000000-0x0000000020027000-memory.dmp
memory/3272-36-0x0000000001DD0000-0x0000000001DD1000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
| MD5 | c39b366a974fc29f0b4953e34ec776da |
| SHA1 | b00881070a0316bb2fafb878cfab1caeaba33010 |
| SHA256 | 852b22e67c90d89820cb7f6de38cb4be47eec6d065b3385ae1b80114a677783e |
| SHA512 | e9473ab451a4f624be4939c97a9c9173e629e9adb2f132fbd0e8746c8e0414e945e25e688ebd6293adfc30072e5ec18ffc4340c7bbe0bfcae3e8b569905e0bf2 |
memory/3272-39-0x0000000020000000-0x0000000020027000-memory.dmp
memory/1136-41-0x0000000001BD0000-0x0000000001BD1000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
| MD5 | b7048070ea552554e2ddfa5785f449ad |
| SHA1 | 9cc89845c286b20e3d4b11e854f1b056854e428a |
| SHA256 | 835a7ba3312670b25ca34c28038b499062c983fddb4f0c7cf14c42faad3bcd26 |
| SHA512 | 8940f16f7f5c2b4f32fca3b2164f4a16510bd31eb78b68a3d868964d173e534c62d4dd023c2165e45bad8a488cea5c8c074d396eff12f945eb08c7b2ccc335d8 |
memory/1136-44-0x0000000020000000-0x0000000020027000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:51
Platform
win11-20241007-en
Max time kernel
430s
Max time network
1155s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dhl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dhl.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\ciqwsivbnl | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\cqeqblyxbh | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\cysjjobvnc | C:\Windows\SysWOW64\svchost.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dhl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
| Token: SeBackupPrivilege | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
| Token: SeRestorePrivilege | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dhl.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\kmucwsrpnf | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3560 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\dhl.exe | \??\c:\users\admin\appdata\local\kmucwsrpnf |
| PID 3560 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\dhl.exe | \??\c:\users\admin\appdata\local\kmucwsrpnf |
| PID 3560 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\dhl.exe | \??\c:\users\admin\appdata\local\kmucwsrpnf |
Processes
C:\Users\Admin\AppData\Local\Temp\dhl.exe
"C:\Users\Admin\AppData\Local\Temp\dhl.exe"
\??\c:\users\admin\appdata\local\kmucwsrpnf
"C:\Users\Admin\AppData\Local\Temp\dhl.exe" a -sc:\users\admin\appdata\local\temp\dhl.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4036 -ip 4036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 896
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3592 -ip 3592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 784
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1108
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | conf.f.360.cn | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3560-0-0x0000000000400000-0x0000000000432800-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zqiA6FE.tmp
| MD5 | 4f407b29d53e9eb54e22d096fce82aa7 |
| SHA1 | a4ee25b066cac19ff679dd491f5791652bb71185 |
| SHA256 | cf0ecf30fc95800a34105acb9bcb484bb594a35b3ef26ace8f122af4f9f888dc |
| SHA512 | 325f7b599455195101e4c0dafd3654906d20ed2c1ce2a5f38784635e16ab545df6ee44a83bed6128239be2dee5be110552c7b246b7f52482ab31552e14b54183 |
memory/3560-5-0x00000000007D0000-0x0000000000844000-memory.dmp
memory/3560-8-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\kmucwsrpnf
| MD5 | 654661d5582d618322b34aff46730b68 |
| SHA1 | 8f21e3972448ab2b35ac5de210b911524c3e65c2 |
| SHA256 | 21cc5d31d33788bd77b55ae4e72395c64e59d4ec0f2631ff5972cf114e9c76f1 |
| SHA512 | 53abe3f33c39e494ff048c3429ebda9f7b19e6167adddd8e811a578b624842edb89a8bdc49d12c84031a1a4a2bfc83c2894da4c4c07b27fc0e49a3f715d31c22 |
memory/3560-23-0x00000000007D0000-0x0000000000844000-memory.dmp
memory/844-25-0x0000000000400000-0x0000000000432800-memory.dmp
memory/844-24-0x0000000000780000-0x00000000007F4000-memory.dmp
memory/3560-22-0x0000000000400000-0x0000000000432800-memory.dmp
memory/844-15-0x0000000000400000-0x0000000000432800-memory.dmp
\??\c:\programdata\drm\%sessionname%\pmhos.cc3
| MD5 | 21e59a86fbb9ce69b28ccfd9f4a7db4b |
| SHA1 | ded5c6fe3e1281b19fb53809f55b90d1b1bed2c8 |
| SHA256 | 824000f3e1c86a9385512bc5afe076ef1ddf16afa39e8a48eaabb741fbe0bc02 |
| SHA512 | 9a9dbdf0ec6d335a09b8c91c8a7df915e8b2a93dcc581d0937fe72f40da03bf6cfa3acf031b635ff0ea57dddaa6746620379d9655bc849284670fb150e939390 |
memory/844-30-0x0000000000780000-0x00000000007F4000-memory.dmp
memory/844-31-0x0000000000400000-0x0000000000432800-memory.dmp
memory/4036-32-0x0000000001940000-0x0000000001941000-memory.dmp
memory/4036-34-0x0000000020000000-0x0000000020027000-memory.dmp
memory/3592-36-0x0000000002280000-0x0000000002281000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
| MD5 | 49cf2e0a63b92f851dafe17f54eb7245 |
| SHA1 | 65551682c03a031d8d6eab4bf67aa7fe8fe73725 |
| SHA256 | a02f48f8dad5bc2d1d0a7cd317ee0cd6e421486d4d0cd7d6e60e6061f9dedc24 |
| SHA512 | efaa9d2e199e81c52da180e54ded59e2dd16969ed6bf9511575433c68da80895b461748e974e6d329d0a6c0ded479aac37ea03849803738832ad52691c412caf |
memory/3592-39-0x0000000020000000-0x0000000020027000-memory.dmp
memory/1924-41-0x0000000001AE0000-0x0000000001AE1000-memory.dmp
C:\Windows\SysWOW64\svchost.exe.txt
| MD5 | 39412ef53796475fa17df1d46ac1bc0b |
| SHA1 | 1dc46930635660e4f7c57fc5ac3b4f53724d1d6e |
| SHA256 | 866255af95c6b1405f8dc1aebfdfc8dd625f015413d3e8a89b98b7fe464afadf |
| SHA512 | 7a5ac56726bbb05cdac605a02a61421ba46c1bc75cfb721f308c85779de965f5a534aaafce35438c294b1c62dc1d3e87b35486a0fdaa72730458d48d73acf016 |
memory/1924-44-0x0000000020000000-0x0000000020027000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:51
Platform
win11-20241007-en
Max time kernel
435s
Max time network
1160s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\java
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:52
Platform
win11-20241007-en
Max time kernel
442s
Max time network
1161s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\java1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 00:40
Platform
win11-20241007-en
Max time kernel
433s
Max time network
1156s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\arm1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:00
Platform
win11-20241007-en
Max time kernel
442s
Max time network
1163s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\mips
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:01
Platform
win11-20241007-en
Max time kernel
1799s
Max time network
1801s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\nslfoo\svchost.exe | N/A |
Indicator Removal: File Deletion
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\nslfoo | C:\Users\Admin\AppData\Local\Temp\se.exe | N/A |
| File created | C:\Program Files\nslfoo\svchost.exe | C:\Users\Admin\AppData\Local\Temp\se.exe | N/A |
| File opened for modification | C:\Program Files\nslfoo\svchost.exe | C:\Users\Admin\AppData\Local\Temp\se.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\se.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\nslfoo\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\nslfoo\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\nslfoo\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\se.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1980 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\se.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1980 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\se.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1980 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\se.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\se.exe
"C:\Users\Admin\AppData\Local\Temp\se.exe"
C:\Program Files\nslfoo\svchost.exe
"C:\Program Files\nslfoo\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\se.exe > nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
| US | 8.8.8.8:53 | www.gm520.org | udp |
Files
C:\Program Files\nslfoo\svchost.exe
| MD5 | b7b347f1aebf2ef10369faf14e0bb2fb |
| SHA1 | 258e9a1ec916d66b510849192fba6c05fdcdaec7 |
| SHA256 | 589b185221797c8dc67bc586f8c2e3c463a06771e53744afa082c04be7fe5763 |
| SHA512 | 4baa49881edb3dea09d6ba8a71cbbcfc597a94657ef2265a5bffb38d2d481579e4215c5674360d490bd3a2913017b606c7e14564db64f645d910e809271b44d3 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-12-07 18:43
Reported
2024-12-08 01:07
Platform
win11-20241007-en
Max time kernel
447s
Max time network
1167s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\win.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\win.exe:*:enabled:@shell32.dll,-1" | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jwhk.exe = "C:\\Windows\\WindowsUpdata\\jwhk.exe" | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\WindowsUpdata\.temp.fortest | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
| File created | C:\Windows\WindowsUpdata\jwhk.exe | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdata\jwhk.exe | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\win.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\win.exe
"C:\Users\Admin\AppData\Local\Temp\win.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1552-0-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1552-2-0x00000000771F4000-0x00000000771F5000-memory.dmp
memory/1552-3-0x00000000771F5000-0x00000000771F6000-memory.dmp
memory/1552-1-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/1552-4-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/1552-5-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/1552-9-0x000000007FE70000-0x000000007FE7C000-memory.dmp
memory/1552-12-0x0000000000400000-0x0000000000429000-memory.dmp